* Netfilter and Poptop ( and stuff ... )
@ 2005-10-10 6:28 Seferovic Edvin
2005-10-10 15:15 ` Phil Oester
0 siblings, 1 reply; 5+ messages in thread
From: Seferovic Edvin @ 2005-10-10 6:28 UTC (permalink / raw)
To: netfilter, poptop-server
Hi,
first of all - excuse me for mailing this to two mailing lists at once, but
I am hoping to get more answers from your experience with poptop and
netfilter.
Here is my situation - I've configured a gateway with poptop ( which uses
RADIUS for auth/acct - which again uses LDAP as auth-backend and mySQL for
accounting ). This gateway has 2 internal and one external interface ( with
public routeable IP address ). One internal interface is used to build a
restricted network for unknown machines, and the second one is used as a
gateway for the known machines. Now - I would like to allow my VPN users
internet access, but not to all machines on the internal network. So I have
to use NAT on the tunnel endpoints ( ppp+ interfaces ), right?
I wanted to make this easy as possible, but as always - I took the wrong
turn... probably by choosing Firewall Builder to help me get my firewall set
up. I achieved everything, but I cannot configure ppp+ interfaces in
FW-Builder? Does anyone have a hint for me? Is this possible anyway ( please
don't tell me I have to configure 150 ppp interfaces in FW-Builder ) ???
I suppose it would be more secure to enter a firewall rule every time a ppp
interface comes up ( by using scripts like ip-up from pppd )? Do I have to
enter a NAT rule for each interface then? Any performance thought when
having 150+ interfaces at the same time?
Nevertheless I would also like to redirect http traffic going from a NATed
ppp+ interface to my squid process - what does this combined rule look like?
Sorry for this huge e-mail and the amateur questions... I hope at least a few of
the gurus out there will be able and willing to help me out...
Thank You in advance !
Regards,
Edvin Seferovic
* Re: Netfilter and Poptop ( and stuff ... )
From: Phil Oester @ 2005-10-10 15:15 UTC (permalink / raw)
To: Seferovic Edvin; +Cc: netfilter, poptop-server
On Mon, Oct 10, 2005 at 08:28:37AM +0200, Seferovic Edvin wrote:
> I wanted to make this easy as possible, but as always - I took the wrong
> turn... probably by choosing Firewall Builder to help me get my firewall set
> up. I achieved everything, but I cannot configure ppp+ interfaces in
> FW-Builder? Does anyone have a hint for me? Is this possible anyway ( please
> don't tell me I have to configure 150 ppp interfaces in FW-Builder ) ???
If FW-Builder cannot handle the ppp+ syntax which is legal in iptables,
I'd say that's a bug. Report it to the maintainer.
Phil
* RE: Netfilter and Poptop ( and stuff ... )
From: Seferovic Edvin @ 2005-10-11 17:33 UTC (permalink / raw)
To: netfilter
Hi,
thank you for any suggestions on my topic. Now I've realized what
FW-Builder is actually doing and I would like to hear your opinion.
When I create interfaces in FW-Builder, the created script ( iptables script
generated by fw-builder ) gets the IP address of the used interfaces by
using
ip -4 addr show dev "interface"
which results as "no such interface" for a non-existing ppp tunnel end
point! To use NAT for all packets from my ppp interfaces, fw-builder
generates the following
-A POSTROUTING -o eth0 -s $i_ppp -j SNAT --to-source my_ext_ip
This rule apparently works only with IP addresses after the "-s" option,
right? I've tried to use this rule for all my ppp interfaces by using
-A POSTROUTING -o eth0 -s ppp+ -j SNAT.... but it says that ppp+ is unknown,
so I suppose iptables requires an ip/host entry here... can anyone tell me
how to get all my PPP interfaces masqueraded on interface eth0?
Regards,
Edvin Seferovic
* Re: Netfilter and Poptop ( and stuff ... )
From: /dev/rob0 @ 2005-10-10 11:29 UTC (permalink / raw)
To: netfilter; +Cc: poptop-server
On Monday 2005-October-10 01:28, Seferovic Edvin wrote:
> I would like to allow my VPN users internet access, but not to all
This seems odd. Didn't they already have Internet access to connect to
your pptpd?
> machines on the internal network. So I have to use NAT on the tunnel
> endpoints ( ppp+ interfaces ), right?
SNAT allows clients to use non-public IP addresses. It is one condition
which must be satisfied, but it is not all. You also must have rules in
FORWARD to DROP/REJECT traffic to the internal network from ppp+ and
then to ACCEPT traffic from ppp+ to anywhere.
> I wanted to make this easy as possible, but as always - I took the
> wrong turn... probably by choosing Firewall Builder to help me get my
> firewall set up. I achieved everything, but I cannot configure ppp+
> interfaces in FW-Builder? Does anyone have a hint for me? Is this
Type the command at the command line?
> possible anyway ( please don't tell me I have to configure 150 ppp
> interfaces in FW-Builder ) ???
I am not familiar with it. If you are saying that it rejects the ppp+
syntax to specify all PPP interfaces, then indeed that sounds like a
serious bug.
> I suppose it would be more secure to enter a firewall rule every time
> a ppp interface comes up ( by using scripts like ip-up from pppd )?
That would be appropriate for more fine-grained control. If all ppp+
traffic is to be treated the same, I think a single blanket rule makes
more sense.
> Do I have to enter a NAT rule for each interface then? Any
No.
> performance thought when having 150+ interfaces at the same time?
Not terribly efficient, but I doubt you would see a performance impact
with that.
> Nevertheless I would also like to redirect http traffic going from a
> NATed ppp+ interface to my squid process - how does this combined
> rule look like?
The example in the squid documentation is perfect, just adjust it to
suit your needs. You might want -s sourcerange/netmask and of course
the input interface, -i ppp+. If by "combined" you mean the same rule
as is doing the SNAT, no, that is not so. The HTTP proxying is done
using DNAT or REDIRECT target in the PREROUTING chain. SNAT is in
POSTROUTING.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
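The rule set /dev/rob0 describes above, plus an answer to the SNAT question in Edvin's second message, as an added example script that is not part of the thread and not fw-builder output. It assumes eth0 is the external interface with public address 203.0.113.1 (a documentation address), that pptpd hands out addresses from a constructed pool 10.8.0.0/24 (use whatever your remoteip range is), that both internal networks fall inside 192.168.0.0/16, and that squid listens on port 3128 and is set up for transparent interception as its documentation describes. The key point on the SNAT rule: the nat POSTROUTING chain has no input interface to match on (iptables rejects -i there, and -s only takes an address or network), so the rule matches the PPP address pool by network instead of "ppp+".

```shell
#!/bin/sh
# Added example: FORWARD filtering, transparent squid REDIRECT and SNAT for
# PPTP clients on ppp+ interfaces. All addresses/names below are assumptions.
# With DRY_RUN=1 the script prints the iptables commands instead of running
# them, so it can be reviewed (or tested) without root.

EXT_IF="eth0"            # assumed external interface
EXT_IP="203.0.113.1"     # assumed public address (documentation range)
PPP_POOL="10.8.0.0/24"   # constructed pool pptpd assigns to ppp+ peers
INTERNAL="192.168.0.0/16" # constructed range covering both internal LANs
SQUID_PORT="3128"        # assumed squid listening port

# Wrapper: echo the rule in dry-run mode, otherwise call iptables for real.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

vpn_rules() {
    # FORWARD: first refuse ppp+ -> internal LANs, then accept ppp+ -> anywhere
    # else (i.e. the Internet). Order matters: the REJECT must come first.
    ipt -A FORWARD -i ppp+ -d "$INTERNAL" -j REJECT
    ipt -A FORWARD -i ppp+ -j ACCEPT
    # Return traffic for the tunnels' connections.
    ipt -A FORWARD -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT

    # HTTP interception lives in nat PREROUTING, where -i ppp+ IS valid; it is
    # a separate rule from the SNAT, not a "combined" one.
    ipt -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # SNAT lives in nat POSTROUTING. POSTROUTING cannot match the input
    # interface (-i is rejected there) and -s takes an address, not "ppp+",
    # so select the tunnel clients by the address pool pptpd gives them.
    ipt -t nat -A POSTROUTING -s "$PPP_POOL" -o "$EXT_IF" \
        -j SNAT --to-source "$EXT_IP"
}

# Load the rules only when invoked as "sh vpn-rules.sh apply".
if [ "${1:-}" = "apply" ]; then
    vpn_rules
fi
```

Preview what would be loaded with `DRY_RUN=1 sh vpn-rules.sh apply`; the single SNAT rule covers all 150+ tunnels at once, so nothing needs to be added per interface from ip-up unless you want per-user policy.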